1. Cellular Networks and Mobile Computing COMS 6998-10, Spring 2013 Instructor: Li Erran Li (lierranli@cs.columbia.edu) http://www.cs.columbia.edu/~lierranli/coms 6998-10Spring2013/ 2/26/2013: Introduction to Cellular Networks

2. Announcements Programming assignment 2 will be due tomorrow Programming assignment 3 will be due March 13. Please start early! – Two lab sessions will be scheduled Please email me the presentation slides the day before! 2

3. Review of Previous Lecture What are the different approaches of virtualization?

4. Review of Previous Lecture What are the different approaches of virtualization? – Bear-metal hypervisor, hosted hypervisor, container (Linux LXC, Samsung Knox)

5. OS Kernel OS Kernel OS Kernel OS Kernel OS Kernel OS Kernel Hypervisor / VMM Hardware Bare-Metal Hypervisor poor device support / sharing Courtesy: Jason Nieh et al.

6. OS Host OS Kernel OS Hypervisor / VMM Hosted Hypervisor kernel module kernel module Hardware poor device performance poor device performance emulated devices emulated devices Courtesy: Jason Nieh et al.

7. Review of Previous Lecture (Cont’d) What approach does Cell use? What are the key design choices for Cell’s extremely low overhead?

8. Review of Previous Lecture (Cont’d) Device namespace – It is designed to be used by individual device drivers or kernel subsystems to tag data structures and to register callback functions. Callback functions are called when a device namespace changes state. – Each VP uses a unique device namespace for device interaction. Cells leverages its foreground-background VP usage model to register callback functions that are called when the VP changes between foreground and background state.

9. Linux Kernel Linux Kernel Power WiFi Cell Radio Framebuffer GPU RTC / Alarms SensorsInputAndroid... Audio/Video Device Namespaces safely, correctly multiplex access to devices device namespaces VP 3 VP 2 VP 1 Courtesy: Jason Nieh et al.

10. Review of Previous Lecture (Cont’d) What are the most expensive flash memory operations? – Random read – Random write – Sequential write – Sequential read

11. Random versus Sequential Disparity Performance for random I/O significantly worse than seq; inherent with flash storage Mobile flash storage classified into speed classes based on sequential throughput  Random write performance is orders of magnitude worse Vendor (16GB) Speed Class Cost US $ Seq Write Rand Write Transcend2264.21.18 RiData2277.90.02 Sandisk4235.50.70 Kingston4254.90.01 Wintec62515.00.01 A-Data63010.80.01 Patriot102910.50.01 PNY102915.30.01 Consumer-grade SD performance Performance MB/s For several popular apps, substantial fraction of I/O is random writes (including web browsing!) Courtesy: Nitin Agrawal et al.

12. Motion State sitting, walking, running Motion State sitting, walking, running Interruptible yes, no Interruptible yes, no Logical Location home, office, mall Logical Location home, office, mall Should OS Manage Context? export Context Data Units (CDUs) rather than raw sensor data – higher-level abstraction than bytes – apps query or subscribe to CDUs each CDU is defined by a CDU Generator: a graph of processing components – combine Generators into composite context dataflow – provide a base CDU vocabulary (that is extensible)

13. Motion Features Motion State sitting, walking, running Motion State sitting, walking, running Audio Audio Features Interruptible yes, no Interruptible yes, no CDU2CDU3 IMU accel, gyro, mag IMU accel, gyro, mag Silence Filter Logical Location home, office, mall Logical Location home, office, mall CDU1 Geolocation GPS, Cell, WiFi Geolocation GPS, Cell, WiFi Location DB app A app G app Z User space Kernel space … Context Data Generators CondOS Design other OS services Scheduling Security I/O Memory Management Memory Management Energy Management Energy Management context dataflow example

14. Syllabus Mobile App Development (lecture 1,2,3) – Mobile operating systems: iOS and Android – Development environments: Xcode, Eclipse with Android SDK – Programming: Objective-C and android programming System Support for Mobile App Optimization (lecture 4,5) – Mobile device power models, energy profiling and ebug debugging – Core OS topics: virtualization, storage and OS support for power and context management Interaction with Cellular Networks (lecture 6,7,8) – Basics of 3G/LTE cellular networks – Mobile application cellular radio resource usage profiling – Measurement-based cellular network and traffic characterization Interaction with the Cloud (lecture 9,10) – Mobile cloud computing platform services: push notification, iCloud and Google Cloud Messaging – Mobile cloud computing architecture and programming models Mobile Platform Security and Privacy (lecture 11,12,13) – Mobile platform security: malware detection and characterization, attacks and defenses – Mobile data and location privacy: attacks, monitoring tools and defenses 14

15. Outline Goal of this lecture: understand the basics of current networks and future directions Current Cellular Networks – Introduction – Radio Aspects – Architecture – Power Management – Security – QoS What Is Next? A Clean-Slate Design: Software-Defined Cellular Networks Conclusion and Future Work 15

16. Cellular Networks Impact our Lives More Mobile Connection More Mobile Information Sharing More Mobile Users 16 1010100100001011001 0101010101001010100 1010101010101011010 1010010101010101010 0101010101001010101 More Infrastructure Deployment

17. Mobile Data Tsunami Challenges Current Cellular Technologies Global growth 18 times from 2011 to 2016 AT&T network: – Over the past five years, wireless data traffic has grown 20,000% – At least doubling every year since 2007 Existing cellular technologies are inadequate – Fundamental redesign of cellular networks is needed Source: CISCO Visual Networking Index (VNI) Global Mobil Data Traffic Forecast 2011 to 2016 17

18. Global Convergence LTE is the major technology for future mobile broadband – Convergence of 3GPP and 3GPP2 technology tracks – Convergence of FDD and TDD into a single technology track GSMWCDMAHSPA TD-SCDMAHSPA/TDD LTE FDD and TDD IS-95cdma2000EV-DO D-AMPS PDC WiMAX ? 3GPP 3GPP2 IEEE

19. LTE deployments 89 commercial networks launched Courtesy: Zoltán Turányi

20. Mobile subscriptions by technology 2008-2017 (estimate) Courtesy: Zoltán Turányi

21. 3GPP introduction 3 rd Generation Partnership Program – Established in 1998 to define UMTS – Today also works on LTE and access-independent IMS – Still maintains GSM 3GPP standardizes systems – Architecture, protocols Works in releases – All specifications are consistent within a release

22. 3GPP TS 23.401 V11.2.0 Stage 1 Requirements “It shall be possible to...” “It shall support…” 3GPP way of working E.g., 22-series specs Stage 2 Architecture Nodes, functions Reference points Procedures (no errors) Stage 3 Protocols Message formats Error cases E.g., 23-series specs E.g., 29-series specs Specification numbering example: Spec. number TS=Technical Specification (normative) TR=Technical Report (info only) Release Consistent set of specs per release New release every 1-2 years Updated after a meeting Courtesy: Zoltán Turányi

23. 3GPP specification groups 2G 3G/LTE System Protocols

24. Starting points on 3GPP specifications http://www.3gpp.org/specification-numbering – Pointers to the series of specifications – Architecture documents in 23-series23-series Main architecture references – 23.002 – Overall architecture reference 23.002 – 23.401 – Evolved Packet Core with LTE access, GTP- based core 23.401 – 23.060 – 2G/3G access, and integration to Evolved Packet Core 23.060 – 23.402 – Non-3GPP access, and PMIP-based core 23.402 Courtesy: Zoltán Turányi

25. Example A base station with 3 sectors (3 cells) Courtesy: Zoltán Turányi

26. Large distances – Terminals do not see each other – Tight control of power and timing needed – Highly variable radio channel – quick adaptation needed Many users in a cell – A UMTS cell can carry roughly 100 voice calls on 5 MHz – Resource sharing must be fine grained – but also flexible Quality of Service with resource management – Voice – low delay, glitch-free handovers – Internet traffic – more, more, more Battery consumption critical – Low energy states, wake-up procedures – Parsimonious signaling Key challenges Courtesy: Zoltán Turányi

27. Radio basics

28. Physical Layer: UMTS Simultaneous meetings in different rooms (FDMA) Simultaneous meetings in the same room at different times (TDMA) Multiple meetings in the same room at the same time (CDMA) 28 Courtesy: Harish Vishwanath

29. Code Division Multiple Access (CDMA) Use of orthogonal codes to separate different transmissions Each symbol or bit is transmitted as a larger number of bits using the user specific code – Spreading Spread spectrum technology – The bandwidth occupied by the signal is much larger than the information transmission rate – Example: 9.6 Kbps voice is transmitted over 1.25 MHz of bandwidth, a bandwidth expansion of ~100 29 Courtesy: Harish Vishwanath Physical Layer: UMTS (Cont’d)

30. Uses spread-spectrum to separate users Common 5 MHz channels Supports soft-handover – Multiple base stations send/receive same data to the user – Recombining the two paths result in better channel – Requires real-time network between base station and RNC UMTS – Universal Mobile Telecommunication System CDMA – Code Division Multiple Access UE – User Equipment RNC – Radio Network Controller RNC

31. Resource control Cost: More radio resources More battery need HSPA channel (packet-oriented high data rate) HSPA Common channel (low data rate, random access) FACH Battery saving (connected) Battery saving (disconnected) IDLE Cost: RNC processing power when switching between states Dedicated channels (64, 128, 384 kbits/s, 2 Mbit/s) DCH URA Courtesy: Zoltán Turányi

32. HSPA High Speed Packet Access – Packet oriented extension to WCDMA – Time Division Multiplexing within a common channel Opportunistic scheduling – Users with currently good reception receive more resources – Higher overall capacity than equal share Hybrid ARQ with soft combining – Only additional redundancy is transmitted on a frame error, not the full frame Most radio functions moved to NodeB No soft handover in downlink

33. LTE air interface The key improvement in LTE radio is the use of OFDM Orthogonal Frequency Division Multiplexing – 2D frame: frequency and time – Narrowband channels: equal fading in a channel Allows simpler signal processing implementations – Sub-carriers remain orthogonal under multipath propagation One resource element One resource block 12 subcarriers during one slot (180 kHz × 0.5 ms) One OFDM symbol One slot 12 subcarriers time frequency Frame (10 ms) Subframe (1 ms)Slot (0.5 ms) Time domain structure

34. Orthogonal Frequency Division Multiple Access (OFDM)  Closely spaced sub-carriers without guard band  Each sub-carrier undergoes (narrow band) flat fading - Simplified receiver processing  Frequency or multi-user diversity through coding or scheduling across sub-carriers  Dynamic power allocation across sub- carriers allows for interference mitigation across cells  Orthogonal multiple access Frequency Narrow Band (~10 Khz) Wide Band (~ Mhz) T large compared to channel delay spread Sub-carriers remain orthogonal under multipath propagation T 1 34 Courtesy: Harish Vishwanath LTE air interface: Downlink

35. LTE air interface: Uplink User 1 User 2 User 3  Efficient use of spectrum by multiple users  Sub-carriers transmitted by different users are orthogonal at the receiver - No intra-cell interference  CDMA uplink is non-orthogonal since synchronization requirement is ~ 1/W and so difficult to achieve  Users are carrier synchronized to the base  Differential delay between users’ signals at the base need to be small compared to symbol duration W 35 Courtesy: Harish Vishwanath

36. LTE air interface: Multiplexing  Each color represents a user  Each user is assigned a frequency-time tile which consists of pilot sub-carriers and data sub-carriers  Block hopping of each user’s tile for frequency diversity Time Frequency Typical pilot ratio: 4.8 % (1/21) for LTE for 1 Tx antenna and 9.5% for 2 Tx antennas 36 Courtesy: Harish Vishwanath Pilot sub-carriers

37. UMTS has CELL_FACH – Uplink un-synchronized Base station separates random access transmissions and scheduled transmissions using CDMA codes LTE does not have CELL_FACH – Uplink needs synchronization Random access transmissions will interfere with scheduled transmissions 37 LTE vs UMTS (3G): Physical Layer

38. Assign each Resource Block to one of the terminals – LTE – channel-dependent scheduling in time and frequency domain – HSPA – scheduling in time-domain only Time Frequency User #1 scheduled User #2 scheduled 1 ms 180 kHz Time-frequency fading, user #1 Time-frequency fading, user #2 LTE Scheduling Courtesy: Zoltán Turányi

39. LTE vs. WCDMA No Soft handover in OFDM – All real-time functions can be done in the base station – No need for a central RNC – No need for a real-time network between the RNC and base station Packet oriented – Supports bursty traffic and statistical multiplexing by default – No specific support for circuit switched traffic Much more flexible spectrum use 6 RB (  1.4 MHz) 100 RB (  20 MHz) Courtesy: Zoltán Turányi

40. Architecture

41. CS CN 3G Radio Access Network PS Core Network Why separate RAN and CN? – Two CNs with same RAN – Multiple RANs with same CN – Modularization – Independent scaling, deployment and vendor selection Why two GSNs? – Roaming: traffic usually taken home – Independent scaling, deployment and vendor selection – User can connect to multiple PDNs Pre-rel.8 Architecture RNC GGSN Gn/Gp NodeB Iub L1 HSPA scheduling Real-time radio control Radio Resource Management Soft handover UP Ciphering Header Compression First-hop router GW towards external PDNs VPN support over Gi IP address management Policy Control Gi GPRS – Generic Packet Radio Service GGSN – Gateway GPRS Support Node SGSN – Serving GPRS Support Node RNC – Radio Network Controller PDN – Packet Data Network CN – Core Network PS – Packet Switched CS – Circuit Switched MSC – Mobile Switching Center HSS – Home Subscriber Server MSC SGSN IuPS IuCS Manage CN procedures HSS connection (authenticator) Idle mode state Lawful Intercept Bearer management

42. CS CN 3G Radio Access Network PS Core Network RNC GGSN Gn/Gp NodeB Iub L1 HSPA scheduling Real-time radio control Radio Resource Management Soft handover UP Ciphering Header Compression First-hop router GW towards external PDNs VPN support over Gi IP address management Policy Control Gi MSC SGSN IuPS IuCS Manage CN procedures HSS connection (authenticator) Idle mode state Lawful Intercept Bearer management Drivers for change Vendor lock-in due to proprietary Iub features Too many specialized user plane nodes Overhead of separate CS core when bulk of traffic is PS Complex, real- time RAN Courtesy: Zoltán Turányi

43. From 3G to EPC/LTE architecture 3G Radio Access Network PS Core Network LTE Radio Access Network eNodeB eNodeB – Evolved Node B RNC functions moved down to base station Evolved Packet Core (EPC) SGi PDN GW SGW S1-UP Only two user plane nodes in the typical case. user plane Packet Data Network GW Serving GW PS only RAN and CN MME S11 Mobility Management Entity User plane/control plane split for better scalability. control plane S1-CP CS CN MSC IuCS RNC GGSN Gn/Gp NodeB Iub Gi SGSN IuPS Courtesy: Zoltán Turányi

44. Why separate SGW and PDN GW? LTE Radio Access Network eNodeB eNodeB – Evolved Node B Evolved Packet Core (EPC) SGi SGW Serving GW MME Mobility Management Entity S1-CP PDN GW S1-UP Packet Data Network GW S11 S5/S8 SGW and PDN GW separate in some special cases: Roaming: PDN GW in home network, SGW in visited network Mobility to another region in a large network Corporate connectivity Courtesy: Zoltán Turányi

45. B2*: Inter-AS MM on top of GPRS Core B1*: All accesses connected to EPC GPRS Core Debate of 2005: “B1 vs B2” Conclusion: B1. Better integration between 3GPP accesses Fewer user plane entities GERAN UTRAN SGSN LTE Evolved Packet Core Internet/ Op.nw. Non-3GPP access GERAN UTRAN SGSN LTE Evolved Packet Core Internet/ Op.nw. Non-3GPP access GGSN Evolved Access Inter-AS MM *Note: Simplified view Courtesy: Zoltán Turányi

46. Interworking with 3G SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS MSC RNC IuCS NodeB Iub SGSN IuPS UE MSC – Mobile Switching Center Gn Courtesy: Zoltán Turányi

47. Interworking with non-3GPP accesses SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS MSC RNC IuCS NodeB Iub SGSN IuPS Non-3GPP Access (cdma2000, WiMax, WiFi) S2 UE PMIP – Proxy Mobile IP Gn Courtesy: Zoltán Turányi

48. Debate of 2006: GTP vs. PMIP SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS MSC RNC IuCS NodeB Iub SGSN IuPS Non-3GPP Access (cdma2000, WiMax, WiFi) S2 PMIP GTP GTP? PMIP? GTP PMIP UE Gn Conclusion: Specify both Courtesy: Zoltán Turányi

49. EPC + LTE: 23.401 EPC + 2G/3G: 23.060 SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS MSC RNC IuCS NodeB Iub SGSN IuPS GTP UE GTP Gn Courtesy: Zoltán Turányi

50. EPC + non-3GPP: 23.402 SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS GTP UE PMIP EPC – Evolved Packet Core Non-3GPP Access (cdma2000, WiMax, WiFi) S2 PMIP Courtesy: Zoltán Turányi

51. Access Procedure Cell Search – Base station broadcasts synchronization signals and cell system information (similar to WiFi) – UE obtains physical layer information UE acquires frequency and synchronizes to a cell Determine the start of the downlink frame Determine the cell identity Random access to establish a radio link 51 Base station UE 2 UE 1

52. ClientBase stationCore network Step 1: random access request (pick one of 64 preambles) Step 2: random access response Step 3: transmission of mobile ID Step 4: contention resolution msg Only if UE is not known in Base station Random Access Adjust uplink timing If ID in msg matches UE ID, succeed. If collision, ID will not match! 52

53. Base station Random Access (Cont’d) UE 2 UE 1 Why not carrier sensing like WiFi? Base station coverage is much larger than WiFi AP – UEs most likely cannot hear each other How come base station can hear UEs’ transmissions? – Base station receivers are much more sensitive and expensive 53

54. Modes of operation

55. Used during communication Signaling connection exists between network and UE Both CN and RAN keeps state about the UE UE location is tracked on a cell granularity – Needed to deliver the data Network controlled mobility Connected mode SGWMME

56. Procedure 1.UE measures nearby cells 2.UE sends measurement reports to network 3.Network decides on and controls handover 4.Handover is prepared by network 5.Handover executes Network controlled mobility SGWMME 1. 2. 4. 3. 5 5 5 5 Reason: To allow the network to tune handovers 1.Select proper target cell 2.Network has additional information for handover decision 3.Collect and analyze data for cell planning and troubleshooting 4.Penalize ping-ponging UEs 5.Penalize microcells for fast UEs 6.Cell breathing Courtesy: Zoltán Turányi

57. Handover Procedure LTEFast PMIPv6

58. Used when the UE is not communicating UE location is tracked on a Tracking Area (TA) granularity – eNodeBs advertise their TA – UE periodically listens to advertisements (every few seconds) – UE sends Tracking Area Update to MME, when TA changes – TAU also sent periodically (e.g., once every 2 hours) No eNodeB state is kept for UE When traffic arrives to the UE, the UE is paged Idle Mode

59. UE periodically checks if data is available for it – Wakes up, (re)selects cell, reads broadcast and the paging channel – Exact timing is pseudo-random per UE PAGING › If packet arrives to SGW… –…it buffers the packet –…and notifies MME. –MME sends a Paging Request to all eNodeBs in the TA of the UE –eNodeBs page the UE on its paging slot locally –UE responds with a Service Request… –…eNodeB state is built up… –…and UE is moved to connected state. SGW PDN GW MME UE Courtesy: Zoltán Turányi

60. Idle mode is a great power-saving feature – A system-wide feature – Also saves a lot of RAN resources Balancing of TA size is needed – Too large: many paging messages – Too small: many TAU messages from UE – Lot of optimizations: per-UE TA, overlapping TA, etc. Connected  Idle transitions are costly – Usually a timeout is used to go to idle Not a good fit for chatty packet traffic Easy to attack: an IP address range scan wakes up everyone – Key application design goal: reduce chattyness The Phone OS also has responsibility – However, can be very effective when combined with DRX Idle mode issues

61. LTE RRC State Machine UE runs radio resource control (RRC) state machine Two states: IDLE, CONNECTED Discontinuous reception (DRX): monitor one subframe per DRX cylce; receiver sleeps in other subframes 61 Courtesy:Morley Mao

62. UMTS RRC State Machine State promotions have promotion delay State demotions incur tail times Tail Time Delay: 1.5s Delay: 2s ChannelRadio Power IDLENot allocated Almost zero CELL_FACHShared, Low Speed Low CELL_DCHDedicated, High Speed High Courtesy: Feng Qian 62

63. IDLE: procedures based on reception rather than transmission – Reception of System Information messages – Cell selection registration (requires RRC connection establishment) – Reception of paging messages with a DRX cycle (may trigger RRC connection establishment) – Location and routing area updates (requires RRC connection establishment) 63 Why Power Consumptions of RRC States so different?

64. CELL_FACH: need to continuously receive (search for UE identity in messages on FACH), data can be sent by RNC any time – Can transfer small data – UE and network resource required low – Cell re-selections when a UE moves – Inter-system and inter-frequency handoff possible – Can receive paging messages without a DRX cycle 64 UMTS RRC State Machine (Cont’d)

65. CELL_DCH: need to continuously receive, and sent whenever there is data – Possible to transfer large quantities of uplink and downlink data – UE and network resource requirement is relatively high – Soft handover possible for dedicated channels and Inter-system and inter-frequency handover possible – Paging messages without a DRX cycle are used for paging purposes 65 UMTS RRC State Machine (Cont’d)

66. Security

67. Subscriber Identity Module – Usually embedded in a physical SIM card Initially specified in 1990 for GSM (freeze date of TS 11.11) Carries subscriber credentials – IMSI: International Mobile Subscriber Identity – 14-15 digits MCC: Mobile Country Code – 3 digits MNC: Mobile Network Code – 2 or 3 digits Rest of the digits identify the subscriber – Keying material (essentially symmetric keys) In the network HSS stores subscriber data – Including keying and phone number (MSISDN) Enables roaming and phone replacement – Key features in GSM The SIM card MSISDN – Mobile Subscriber ISDN Number

68. KEY hierarchy Source: 33.401 Security architecture AuC – Authentication Centre AKA – Authentication and Key Agreement NH – Next Hop SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS UE AuC AKA procedure USIM Courtesy: Zoltán Turányi

69. Authentication at initial attach

70. S1 User Plane Security SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS UE AuC UP ciphering USIM No UP ciphering! RAN Core Network RNC SGSN GGSN IuPS Gn/Gp NodeB Iub L1 HSPA scheduling Real-time radio control Radio Resource Management Soft handover UP Ciphering Header Compression Manage CN procedures HSS connection (authenticator) Idle mode state Lawful Intercept Bearer management First-hop router GW towards external PDNs VPN support over Gi IP address management Policy Control Gi UE Courtesy: Zoltán Turányi

71. S1 UP security SGW PDN GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS UE AuC UP ciphering USIM IPsec tunnel Courtesy: Zoltán Turányi

72. MME pre-calculates NH keys – From K ASME and NCC – NCC: NH Chaining Counter 3: Source eNodeB sends {NH, NCC} to target eNodeB Target eNB uses NH for K eNB UE also calculates new K eNB 12: MME sends next {NH, NCC} to target eNB handover

73. QoS architecture

74. Overprovisioning is difficult – Resources are scarce (few 10s of MHzs) – Equipment and spectrum expensive – You need to use well what you have Everything is more complicated – Due to the wide-area radio delays are higher – Primary application is delay sensitive Money – People are (somewhat more) willing to pay – There is an infrastructure to charge – Service and price differentiation happens QoS MATTERS IN CELLULAR

75. A bearer is a L2 packet transmission channel – …to a specific external Packet Data Network, – …using a specific IP address/prefix, – …carrying a specific set of IP flows (maybe all) – …providing a specific QoS. In 2G/3G also known as “PDP Context” Bearer setup is explicitly signaled – In LTE one bearer is always set up at attachment Bearers SGW PDN-GW S5 eNodeB S1-CP MME S1-U S11 SGi HSS UE See more in: 23.107 QoS concept and architecture Courtesy: Zoltán Turányi

76. Service Data Flow Bearers default bearer Service Data Flow dedicated bearer Service Data Flow PDN connection APN traffic Terminal traffic IP microflows A set of IP microflows A set of IP microflows with the same QoS Traffic with the same IP address or IPv6 prefix Traffic to the same external network All traffic of a UE Dedicated bearer: bearer with special QoS Default bearer: rest of traffic with default QoS SGW PDN GW eNodeB MME SGi UE PDN GW SGi PDN 1PDN 2 APN1 PDN – Packet Data Network APN – Access Point Name APN2 External networks Two default bearers to different APNs Courtesy: Zoltán Turányi

77. Terminal apps do not use QoS – Original IP socket API has minimal QoS features No widespread QoS mechanism in fixed networks Usually IP app developers do not care about network QoS – A number of QoS API failures Conceptual difficulties – QoS must be authorized and charged QoS can only be effectively decided in the face of its price – Complex QoS descriptors Determining QoS parameters is challenging – E.g., 10 -3 or 10 -4 bit error rate? – Yet not flexible enough to cater for e.g., VBR video Why then no QoS? (Apart from voice)

78. Pre-rel.8 QoS descriptor Maximum bit rate (octets 8-9) 0 0 0 0 0 0 0 1 The maximum bit rate is binary coded in 8 bits, using a granularity of 1 kbps 0 0 1 1 1 1 1 1giving a range of values from 1 kbps to 63 kbps in 1 kbps increments. 0 1 0 0 0 0 0 0 The maximum bit rate is 64 kbps + ((the binary coded value in 8 bits –01000000) * 8 kbps) 0 1 1 1 1 1 1 1giving a range of values from 64 kbps to 568 kbps in 8 kbps increments. 1 0 0 0 0 0 0 0 The maximum bit rate is 576 kbps + ((the binary coded value in 8 bits –10000000) * 64 kbps) 1 1 1 1 1 1 1 0giving a range of values from 576 kbps to 8640 kbps in 64 kbps increments. 1 1 1 1 1 1 1 10kbps If the sending entity wants to indicate a Maximum bit rate for uplink higher than 8640 kbps, it shall set octet 8 to ”11111110”, i.e. 8640 kbps, and shall encode the value for the Maximum bit rate in octet 17. Source: 24.008 Core network protocols; Stage 3

79. QCI: QoS Class Indicator – Scalar value encompassing all packet treatment aspects – 9 mandatory, operators can define new MBR: Max bitrate GBR: Guaranteed bitrate – If nonzero, admission control is performed ARP: Allocation and Retention Priority – priority (scalar): Governs priority at establishment and handover – pre-emption capability (flag): can this bearer pre-empt another? – pre-emption vulnerability (flag): can another bearer pre-empt this one? AMBR: Aggregated Maximum bitrate – Both a per-terminal and per-APN value #1: Simple parameters Source: 23.401, 23.203 GPRS Enhancements for E-UTRAN Policy and Charging Control Architecture

80. Allow a network application request QoS – Terminal app can remain QoS un-aware – Network can fully control QoS provided & payment charged First specified in Release 7 for 3G – Not all terminals support it Mandatory mode in LTE #2: Network initiated bearers App LTE App LTE + EPC UENetwork 1. Session setup 2. Request QoS 3. Bearer setup No QoS API Courtesy: Zoltán Turányi

81. Policy and Charging SGW PDN GW S5 eNodeB S1-MME MME S1-U S11 SGi PCRF Gx Rx UE Flow descriptor (5-tuple) QoS descriptor Charging rules Gating (on/off) Flow descriptor (5-tuple) Bandwidth Application (voice/video/etc.) App Policy and Charging Rules Function – Decides on QoS and Charging – Controls gating – Service Policy Based on Request Subscription data – Makes no resource decisions Courtesy: Zoltán Turányi

82. 23.402 23.401 Debate of 2007: On-path vs. off-path for QoS/policy in 23.402 GTP signalling on user plane path to set up “bearers” Packets are marked to belong to one of the bearers No “bearer” with PMIP Filters on SGW to classify into bearers on S1 Motivation: – Alignment with other non-3GPP accesses – Be different from GTP, experiment Serving GW hPCRF Gx S8-PMIP PDN GW S9 Serving GW PCRF Gx S8-GTP PDN GW S1-GTP vPCRF Gxc Filters GTP signalling Filters GTP signalling Filters

83. What Is Next?

84. LTE Evolution LTE-A – meeting and exceeding IMT-Advanced requirements – Carrier aggregation – Enhanced multi-antenna support – Relaying – Enhancements for heterogeneous deployments LTE LTE-A LTE-B LTE-C Rel-8 Rel-9 Rel-10 Rel-11 Rel-12 Rel-13 Rel-14

85. LTE Evolution LTE-B – Work starting fall 2012 Topics (speculative) – Device-to-device communication – Enhancements for machine-to-machine communication – Green networking: reduce energy use – And more… LTE LTE-A LTE-B LTE-C Rel-8 Rel-9 Rel-10 Rel-11 Rel-12 Rel-13 Rel-14

86. A Clean-Slate Design: Software- Defined Cellular Networks

87. Cellular Core Network eNodeB 3 S-GW 2 P-GW 87 S-GW 1 eNodeB 1 eNodeB 2 Internet and Other IP Networks GTP Tunnels UE 2 UE 1 LTE Data Plane is too Centralized UE: user equipment eNodeB: base station S-GW: serving gateway P-GW: packet data network gateway Data plane is too centralized Scalability challenges at P-GW on charging and policy enforcement!

88. 88 LTE Control Plane is too Distributed Problem with Inter- technology (e.g. 3G to LTE) handoff Problem of inefficient radio resource allocation User Equipme nt (UE) Gateway (S-GW) Mobility Management Entity (MME) Network Gateway (P-GW) Home Subscriber Server (HSS) Policy Control and Charging Rules Function ( PCRF) Station (eNodeB) Base Serving Packet Data Control Plane Data Plane No clear separation of control plane and data plane

89. Advantages of SDN for Cellular Networks Advantage of logically centralized control plane – Flexible support of middleboxes – Better inter-cell interference management – Scalable distributed enforcement of QoS and firewall policies in data plane – Flexible support of virtual operators by partitioning flow space Advantage of common control protocol – Seamless subscriber mobility across technologies Advantage of SDN switch – Traffic counters enable easy monitoring for network control and billing 89

90. eNodeB 3 90 eNodeB 1 eNodeB 2 Internet and Other IP Networks Path setup for UE by SDN controller UE 2 UE 1 Flexible Middlebox Support Easy to control flow to middleboxes for content adaptation, echo cancellation, etc Reduce traffic to middleboxes SDN Switch Middlebox SDN provides fine grained packet classification and flexible routing

91. eNodeB 3 91 eNodeB 1 eNodeB 2 Internet and Other IP Networks UE 2 UE 1 Flexible Middlebox Support (Cont’d) Easy to satisfy policy for traffic not leaving cellular network Reduce the need for extra devices SDN Switch Path setup for UE by SDN controller SDN switch can support some middlebox functionality

92. Monitoring for Network Control & Billing Packet handling rules in SDN switches can efficiently monitor traffic at different level of granularity – Enable real time control and billing 92 Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport RuleActionStats 1.Forward packet to port(s) 2.Encapsulate and forward to controller 3.Drop packet 4.Send to normal processing pipeline + mask Packet + byte counters

93. eNodeB 3 93 eNodeB 1 eNodeB 2 Internet and Other IP Networks UE 2 UE 1 Seamless Subscriber Mobility SDN provides a common control protocol works across different cellular technologies Forwarding rules can be pushed to switches in parallel SDN Switch SDN Control Plane Path setup for UE by SDN controller X-Gen Cellular Network X+1-Gen Cellular Network

94. eNodeB 3 94 eNodeB 1 eNodeB 2 Internet and Other IP Networks UE 2 UE 1 Distributed QoS and ACL Enforcement LTE’s PCEF is centralized at P-GW which is inflexible SDN Switch Access policy checked In SDN switches distributedly Path setup for UE by SDN controller

95. eNodeB 3 95 eNodeB 1 eNodeB 2 Internet and Other IP Networks UE 2 UE 1 Virtual Operators Virtual operators may want to innovate in mobility, billing, charging, radio access SDN Switch Slicing Layer: CellVisor Virtual Operator(VO ) (Slice 1) Virtual Operator(VO ) (Slice 1) Virtual Operator (Slice N) Virtual Operator (Slice N) Flexible network virtualization by slicing flow space VO 1 VO 2

96. eNodeB 3 96 eNodeB 1 eNodeB 2 Internet and Other IP Networks UE 2 UE 1 Inter-Cell Interference Management LTE distributed interference management is suboptimal SDN Switch Network Operating System: CellOS Radio Resource Manager Central base station control: better interference management Global view and more computing power

97. CellSDN Architecture CellSDN provides scalable, fine-grain real time control with extensions: – Controller: fine-grain policies on subscriber attributes – Switch software: local control agents to improve control plane scalability – Switch hardware: fine-grain packet processing to support DPI – Base stations: remote control and virtualization to enable flexible real time radio resource management 97

98. Mobility Manager Subscriber Information Base Policy and Charging Rule Function Network Operating System: CellOS Infra- structure Routing Cell Agent Radio Hardware Packet Forwarding Hardware Cell Agent Radio Resource Manager Packet Forwarding Hardware Cell Agent CellSDN Architecture (Cont’d) 98 DPI to packet classification based on application SCTP instead of TCP to avoid head of line blocking Offloading controller actions, e.g. change priority if counter exceed threshold Translates policies on subscriber attributes to rules on packet header Central control of radio resource allocation

99. Cell Agent Radio Hardware Packet Forwarding Hardware Cell Agent Packet Forwarding Hardware Cell Agent CellSDN Virtualization 99 Slicing Layer: CellVisor Network OS (Slice 1) Network OS (Slice 1) Network OS (Slice 2) Network OS (Slice 2) Network OS (Slice N) Network OS (Slice N) Slice semantic space, e.g. all roaming subscribers, all iPhone users

100. Conclusion and Future Work LTE promises hundreds of Mbps and 10s msec latency There are key architecture problems need to be solved – Software-defined networking can help! 100